Trojan 'kidnaps' data

Experts warned computer users on Wednesday of a Trojan that could steal their data and try to sell it back to them.

Zippo-A (also known as CryZip) searches for word documents, database files and spreadsheets, and converts them to password encrypted zip files on the user's computer. A file is then created that instructs users to pay $300 (£170) to an e-Gold account to recover their data.

Antivirus company Sophos said that although there had been no widespread outbreak, it could be part of a trend of "ransomware" — malware that attempts to extort money from users.

"This is most interesting as an extension of a growing trend of Russian ransomware. This is the first time we've seen this in the UK," said Graham Cluley, senior technology consultant at Sophos.

"Companies who have made regular backups may be able to recover easily, but less diligent businesses may be in a quandary about whether to cough up the cash," Cluley said.

Users with infected PCs are instructed that once they have paid, they will be sent a password to decrypt the files. However, affected files can be decrypted using the password C:\Program Files\Microsoft Visual Studio\VC98.

Sophos discovered this key by disassembling the Trojan.

The antivirus company said it had tried to contact e-Gold to let them know a number of their accounts were being used for extortion. Sophos had not heard back from e-Gold.

"The e-Gold accounts may have been set up using a false ID," said Cluley.

e-Gold, an Internet payment service run by US company Gold & Silver Reserve, was unavailable to give ZDNet UK comment at the time of writing.

Sophos had not yet contacted the police.

"All the authorities need to do is follow the money trail. We haven't approached the police about this yet — we normally contact the ISPs involved. With 2,000 new pieces of malware seen each month, law enforcers would just be swamped," said Cluley.

Businesses need to advise users to be extremely careful about which programs they choose to run, and to update with the latest Microsoft patches, according to Sophos.